Russian hacker 'militia' mobilizes to attack Georgia
Volunteers, botnet owners join forces to knock sites offline, say researchers
Computerworld - Security researchers today disputed claims that a well-known Russian hacker-hosting network is responsible for cyberattacks against sites belonging to Georgia, the former Soviet republic that has been battling Russian military forces since Friday.
Rather than blame the notorious Russian Business Network -- as researcher Jart Armin did over the weekend -- other researchers said today that it appears that the attacks originated from a "hacker militia" of Russian botnet herders and volunteers.
"They mobilize themselves without a need for a central location to do so, distribute the targets, discuss the attack approaches, come up with a plan on the coordination, and you have everyone participating," Bulgarian security researcher Dancho Danchev said in an instant messaging interview early today.
Danchev and others have found evidence that points to a self-starting militia composed of volunteer hackers and cybercriminals who control large-scale bots, or collections of previously-compromised computers, as being behind the escalating attacks that have knocked Georgian sites offline.
"A lot of it started with posting on blogs," said Kimberly Zenz, a senior threat analyst at VeriSign Inc.'s iDefense Labs. "A bunch of youth groups posted something that was almost a manifesto that called on supporters to 'wage an information war' against Georgia."
That call to arms was only one of many, said Zenz and Danchev, both whom noted similarities to the attacks against several hundred Lithuanian Web sites early last month.
But while the forces assembled only appear to be uncoordinated to the untrained eye, they are in fact very coordinated, both researchers argued. In a lengthy blog post on ZDNet, Danchev spelled out the coordinated steps that someone -- or some group -- took to rally the hacker troops and turn them against specific targets.
"In the ongoing Russian vs. Georgia cyberwar, we have an indication of lists [of Georgian governmental sites] actively distributed across Russian Web forums," said Danchev in the blog entry. He also said there were signs that hackers had been provided simple distributed-denial-of-service (DDoS) tools, and that lists of Georgian sites vulnerable to SQL injection attacks had been circulating.
"Someone is coordinating activities," said Zenz, "by posting on blogs and forums instructions that essentially say, 'This is what we're going to do.' But we don't know who's behind that."
That coordination, said Danchev, was sophisticated enough to launch DDoS attacks against one of the most popular hacker forums in Georgia as a preemptive strike. But the attacks weren't entirely successful, since limited retaliations against Russian sites have succeeded. "Georgian hackers, or pro-Georgian hackers, [launched] distributed-denial-of-service [attacks against] RIA Novosti," he said via instant message. RIA Novosti is a Moscow-based news service.
- Transforming Information Security: Future-Proofing Processes This report provides a valuable set of recommendations from 19 of the world'd leading security officers to help organizations build security strategies for...
- The Evolution of Corporate Cyberthreats Cybercriminals are creating and deploying new threats every day that are more destructive than ever before. While you may have more people devoted...
- 3 Questions to Ask Your DNS Host about Lowering DDoS Risks Neustar has had wide-ranging conversations with clients wanting to know how they can optimize protection as DDoS attacks increase in frequency and size.
- The Danger Deepens: 2014 Neustar Annual DDoS Attacks and Impact Report This report compares DDoS findings from 2013 to 2012, based on a survey of 440 North American companies, including 139 businesses delivering technology...
- Establish Cyber Resiliency: Developing a Continuous Response Architecture Many enterprises fail to proactively prepare the battlefield for a data breach by only leveraging outdated techniques that focus on the perimeter or...
- An Incident Response Playbook: From Monitoring to Operations As cyber-attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. In this webcast, learn how to develop... All Cybercrime and Hacking White Papers | Webcasts